Your personal rules go in /var/ossec/rules/local_rules.xml
Example :
<rule id="100078" level="0">
  <if_sid>5703,31161</if_sid>
  <srcip>1.2.3.4</srcip>
  <description>Ignore this</description>
</rule>
Rule id must be in the 100000 range.
Level 0 means ignore the alerts.
if_sid is the rule number you get in the message; it can be a list of several rules.
More info at
http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html?highlight=rules
Valère Binet [C]
IT Security Administrator
Kelly Government Solutions On-Site at the NIH
NIH / NIA / IRP
Tel : 410 558 8013
mailto: [email protected]
NCTS performance comments and survey at:
https://niairpkiosk.irp.nia.nih.gov/content/ncts-user-survey
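A quick sanity check for a local_rules.xml before restarting OSSEC, written as an added example for this thread (it is not code from the list or from the OSSEC project): it parses the file and flags the three mistakes the reply above warns about (rule id outside the 100000 range, a level 0 rule with no if_sid, and a malformed srcip). The sample XML is constructed for the demo and contains the quoted rule plus one deliberately broken rule; the lint assumes srcip values are plain addresses or CIDR blocks.

```python
import ipaddress
import xml.etree.ElementTree as ET

LOCAL_RULE_MIN = 100000  # local rule ids belong in the 100000+ range (per the thread)

# Constructed sample: the rule quoted in the reply plus one deliberately bad rule.
SAMPLE_LOCAL_RULES = """
<group name="local,">
  <rule id="100078" level="0">
    <if_sid>5703,31161</if_sid>
    <srcip>1.2.3.4</srcip>
    <description>Ignore this</description>
  </rule>
  <rule id="5703" level="0">
    <srcip>10.0.0.300</srcip>
    <description>Bad on purpose: stock id, no if_sid, bad ip</description>
  </rule>
</group>
"""

def _valid_ip_or_cidr(value):
    """True if value parses as an IPv4/IPv6 address or CIDR block."""
    try:
        ipaddress.ip_network(value.strip(), strict=False)
        return True
    except ValueError:
        return False

def lint_local_rules(xml_text):
    """Return (rule_id, problem) pairs; an empty list means the file passes."""
    # An OSSEC rules file may hold several top-level <group> elements, so wrap
    # the text in a synthetic root before parsing.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    problems = []
    for rule in root.iter("rule"):
        rid = rule.get("id", "")
        if not rid.isdigit() or int(rid) < LOCAL_RULE_MIN:
            problems.append((rid, "id is not in the 100000+ range for local rules"))
        if rule.get("level") == "0":  # level 0 means: ignore the alert
            if_sid = rule.findtext("if_sid")
            if not if_sid:
                problems.append((rid, "level 0 rule has no <if_sid> naming the alert to ignore"))
            elif not all(s.strip().isdigit() for s in if_sid.split(",")):
                problems.append((rid, "<if_sid> must be a comma-separated list of rule ids"))
        for srcip in rule.findall("srcip"):
            if not _valid_ip_or_cidr(srcip.text or ""):
                problems.append((rid, "srcip %r is not an IP address or CIDR block" % srcip.text))
    return problems
```

Run lint_local_rules() on the contents of /var/ossec/rules/local_rules.xml; on the sample it reports three problems, all for the bad rule 5703, and nothing for rule 100078.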
From: "H.Merijn Brand" <[email protected]>
Reply-To: [email protected]
Date: Wednesday, June 10, 2015 at 2:03 PM
To: [email protected]
Subject: Re: [ossec-list] Level 10 messages for whitelisted IP's
Can you give a hint in where to write those new rules and where I could nick an
example?
On Wednesday, June 10, 2015 16:25:34 UTC+2, Michael Starks wrote:
On 06/10/2015 05:08 AM, H.Merijn Brand wrote:
> Running ossec-hids-2.8.1 on OpenSUSE 13.2
>
> I have several (trusted) IP's in /var/ossec/etc/ossec.conf's <whitelist>
> section, like
>
> --8<---
> <global>
> <white_list>127.0.0.1</white_list>
> <white_list>^localhost.localdomain$</white_list>
> <white_list>1.2.3.4</white_list>
> :
> -->8---
>
> but ossec still spews lots of messages like
<snipped>
Whitelisting is for active response, not alerts. Write some rules to
filter out the alerts you don't want to see.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.